New Android malware can steal your Facebook account: How to stop it

Facebook logo on Android phone superimposed over word 'HACKED' on Matrix-like screen.
(Image credit: rafapress/Shutterstock)

A new strain of Android malware tries to hijack Facebook user accounts, though it's not certain what it plans to do with them.

Named Cookiethief by the Kaspersky researchers who discovered it, the malware gets "root" -- total system control -- on infected devices. It then finds Facebook session cookies and sends them to the remote server by which the malware operators command and control the devices.

"The exact means by which the Trojan was able to infect certain Android devices is not clear," Kaspersky's Anton Kivva and Igor Golovin said in a blog posting today (March 12). "However, it was not due to a vulnerability in the Facebook application or [the] browser itself."

How to protect yourself from Cookiethief

To protect yourself from Cookiethief and similar attacks, you'll need to block third-party cookies in your various Android browsers.

In Chrome, tap the three-vertical-dot menu button on the top right of the screen, tap Settings, scroll down to the Advanced section and tap Site Settings, tap Cookies and check "Block third-party cookies."

In Firefox, it's Menu --> Settings --> Privacy --> Cookies, then select "Enabled, excluding 3rd party."

In Opera, tap the O icon on the bottom right, tap Settings, scroll down to the Privacy section and tap Cookies, then select "Enabled, excluding third-party."

The Kaspersky researchers also advise periodically clearing your cookies, which also can be done from the various browsers' settings menus, and installing and using one of the best Android antivirus apps.

You can also periodically log out of and then log back into your Facebook account in the Facebook app, which will reset the Facebook session cookie without logging you out of everything else.

How Cookiethief works

Session cookies are what allow you to stay logged into Facebook, or many other online services, for months at a time without having to log back in, even if you reboot your computer or mobile device. An attacker who obtains a session cookie could use it to take over your account without knowing your password.

Facebook has geographic safeguards against session-cookie misuse. For example, it checks to make sure that the person using the cookie is accessing your account from, say, Indiana instead of Indonesia.

But Cookiethief gets around that. It installs a second piece of malware that creates a proxy server on the infected Android device. The proxy server spoofs the account owner's geographic location, so it looks as though the attacker, who could be anywhere in the world, is accessing Facebook from the real user's home area.

"By combining these two attacks, cybercriminals can gain complete control over the victim's account and not raise a suspicion from Facebook," the Kaspersky researchers wrote. "These threats are only just starting to spread, and the number of victims, according to our data, does not exceed 1,000, but the figure is growing."
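To show why a location check alone is not enough against this kind of attack, here is an added illustration (not code from the article, Kaspersky or Facebook) of a server-side session check run over constructed login events. The geographic check is the kind of safeguard the article describes; the device-fingerprint binding is a hypothetical extra signal, assumed to have been recorded when the session was issued.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionEvent:
    """One use of a session cookie, as a server might log it (constructed sample)."""
    session_id: str
    region: str      # coarse geolocation of the client IP, e.g. "US-IN"
    device_id: str   # hypothetical device fingerprint presented with the request


# Constructed sample: what the server stored when the session cookie was issued.
ISSUED = {
    "sess-A": {"region": "US-IN", "device_id": "dev-phone-1"},
}


def geo_check(issued: dict, ev: SessionEvent) -> bool:
    """The coarse location safeguard described in the article: is the cookie
    being used from the region it was issued in?"""
    return issued[ev.session_id]["region"] == ev.region


def device_check(issued: dict, ev: SessionEvent) -> bool:
    """Hypothetical second signal: does the request carry the fingerprint
    of the device the session was issued to?"""
    return issued[ev.session_id]["device_id"] == ev.device_id


def classify(issued: dict, ev: SessionEvent) -> str:
    """Combine both signals; a mismatch on either means the session should be
    rejected (and ideally invalidated so the stolen cookie stops working)."""
    if not geo_check(issued, ev):
        return "reject: region mismatch"
    if not device_check(issued, ev):
        return "reject: device mismatch"
    return "allow"


def demo() -> list:
    """Three constructed uses of the same stolen cookie."""
    events = [
        SessionEvent("sess-A", "US-IN", "dev-phone-1"),   # the real owner
        SessionEvent("sess-A", "ID-JK", "dev-attacker"),  # cookie replayed directly from abroad
        SessionEvent("sess-A", "US-IN", "dev-attacker"),  # cookie replayed via proxy on the victim's phone
    ]
    return [classify(ISSUED, e) for e in events]
```

The third event is the Cookiethief case: it passes the location check because the proxy makes the request appear to come from the victim's home area, so only the additional device signal catches it.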

Cookiethief even tries to pass itself off as the popular kids' online game Roblox -- its Android package name is com.lob.roblox, as opposed to the actual Android Roblox app, which is com.roblox.client. We weren't able to find the fake app in the most popular off-road Android app stores.

What Cookiethief does with the hijacked Facebook accounts isn't yet known, but Kivva and Golovin said they "found a page advertising services for distributing spam on social networks and messengers" on Cookiethief's command-and-control server. Taking over dozens or hundreds of Facebook accounts would be an effective way to spread spam.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.